LIBE votes for Privacy Shield's suspension: What does it mean?

If yesterday's vote on the current international data-transfer agreement between the EU and U.S. at the Civil Liberties Committee hearing is any indication, Privacy Shield may be inching closer to the fate of its predecessor Safe Harbor, which went down like a punctured vessel in 2015. The question is whether the Commission shares the opinion of Parliament's LIBE Committee.

Further, the committee only narrowly passed its resolution, 29 to 25, to ask the European Commission to suspend Privacy Shield unless the U.S. gets its act together before September 1, citing the deal's failure to adequately protect EU citizens. It said Shield should remain suspended indefinitely "until the U.S. authorities comply with its terms in full." Now the resolution moves to Parliament as a whole, which is likely to vote on it in July, but won't necessarily follow LIBE's lead.

The LIBE vote follows the Facebook/Cambridge Analytica revelations involving the improper handling of user data gleaned from the social network for political purposes and appearances before Parliament by both Facebook CEO Mark Zuckerberg and whistleblower Chris Wylie. Both Cambridge Analytica and Facebook are currently certified under Privacy Shield, which MEPs pointed to as reason the U.S. must do a better job supervising the agreement for it to survive.

LIBE is calling on the U.S. to take action against companies self-certifying under Privacy Shield but in fact using data in nefarious ways "without delay" by removing them from the Privacy Shield list. It also called for EU authorities to investigate and ban data transfers in cases where companies are found to have misrepresented data practices.

While it passed muster in its first annual review, though with some recommendations for improvement, the Shield is up for its second annual review this fall. As that date approaches, said Privacy Shield Director Caitlin Fennessy in a statement to The Privacy Advisor, the U.S. Department of Commerce continues to work closely with the European Commission on implementation, and for good reason: The Department of Commerce has seen more than 1,000 new companies seeking to join the Privacy Shield in just the last month.

"This demonstrates the critical importance of our work together to ensure the Privacy Shield Framework continues to support transatlantic data protection and trade," Fennessy said, adding Commerce has worked to enhance the program as well as its outreach and oversight over the last year. "We look forward to working with all of our European partners in the months ahead and meeting with LIBE Committee representatives during their planned visit to Washington in July.”

LIBE Chair and Rappoertuer Claude Moraes said in a press release, "The LIBE committee today adopted a clear position on the EU US Privacy Shield agreement. While progress has been made to improve on the Safe Harbor agreement, the Privacy Shield in its current form does not provide the adequate level of protection required by EU data protection law and the EU Charter. It is therefore up to the US authorities to effectively follow the terms of the agreement and for the Commission to take measures to ensure that it will fully comply with the GDPR."

Eduardo Ustaran, CIPP/E, of Hogan Lovells, however, said the LIBE vote shouldn't be a surprise to anyone. After all, the European Parliament has been an "ardent critic" of the Privacy Shield from the outset and there's no indication that will change any time soon.

"If anything, this is a reminder that transfers of data outside of the EU, particularly to the U.S., remain an area of political focus," Ustaran said. "The real test will come later this summer when the European Commission and the EDPB issue their respective progress reports after two years of operation. For organizations in the EU and the U.S., those two institutions are the ones that matter when deciding whether to invest in relying on the Privacy Shield to legitimize their data flows."

In just under two years, Privacy Shield already has more than 3,000 certified organizations and is rapidly approaching the number of participating organizations that Safe Harbor gathered in nearly 15 years.

Meanwhile, LIBE also sounded concerns about the U.S.'s recent passage of the Clarifying Lawful Overseas Use of Data Act (known as the CLOUD Act), which allows U.S. law enforcement access personal data overseas.

Tags

1 Comment

Interesting contrast to the statement issued by the EDPS last month that Privacy Shield is becoming less relevant
Privacy Shield less relevant given GDPR, says EU data chief
https://euobserver.com/justice/141886

Related Stories

Servus aus München!
Further to the CNIL fining Google in late January, which sparked much debate in the privacy community across Europe, February also saw some regulatory echoes in Germany through the Bavarian Data Protection Authority, which announced it was considering fining several companies un...

"Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU." - European Commission
At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for ...

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted as the benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism, whereby the supervisory authority of the "main establishment" of such controller or processor in the ...

Dataguise announced Sagi Leizerov, CIPP/US, has become its new senior vice president of enterprise privacy solutions. Leizerov previously served as chief data solution officer at Prifender and as global privacy leader at Ernst & Young. Leizerov is also a member of the IAPP’s board of directors. ...

A company based in Dublin alleges several tech companies have breached a patent it owns for data transfer and storage technology, The Irish Times reports. Data Scape has launched 15 lawsuits in the U.S. against companies such as Amazon, Dropbox, SAP, Pandora and Spotify. The tech and patent company ...

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.